Analysis

  • max time kernel
    26s
  • max time network
    37s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-10-2023 20:11

General

  • Target

    NEAS.b48dc57cf2add016e8c28592e7ae4a40.exe

  • Size

    88KB

  • MD5

    b48dc57cf2add016e8c28592e7ae4a40

  • SHA1

    ab2e844001c043a5a7ee66469cf00f2da38257d3

  • SHA256

    a0d19e38527e7ec077e2c8a1a6ad94f2a37991ee563298b18163cb98395f0241

  • SHA512

    64777370adec61f83bff1d8f36687410482acb4b9de071a90ef0c1b4d529c6ce23b9637481596ca60f608872ab79366833b4889c854ceeae8e154d84e383aef3

  • SSDEEP

    1536:f5nfmIpxDWbUfd3aOPmxxEhvgCooXqRQqjh+rmKVsN:f5fvp12UFKcD/6jwqWsN

Malware Config

Signatures

  • Tinba / TinyBanker

    Banking trojan which uses packet sniffing to steal data.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:3804
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    1⤵
    PID:3716
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    1⤵
    PID:3456
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:3348
    • C:\Users\Admin\AppData\Local\Temp\NEAS.b48dc57cf2add016e8c28592e7ae4a40.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.b48dc57cf2add016e8c28592e7ae4a40.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4712
      • C:\Windows\SysWOW64\winver.exe
        winver
        3⤵
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:4212
  • C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    1⤵
    PID:2912
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    1⤵
    PID:2856
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    PID:2836

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2836-15-0x0000000000F80000-0x0000000000F86000-memory.dmp
    Filesize: 24KB
  • memory/2856-14-0x0000000000B20000-0x0000000000B26000-memory.dmp
    Filesize: 24KB
  • memory/2856-18-0x0000000000B20000-0x0000000000B26000-memory.dmp
    Filesize: 24KB
  • memory/2912-16-0x00000000006F0000-0x00000000006F6000-memory.dmp
    Filesize: 24KB
  • memory/3348-8-0x00007FF888940000-0x00007FF888941000-memory.dmp
    Filesize: 4KB
  • memory/3348-2-0x0000000000BA0000-0x0000000000BA6000-memory.dmp
    Filesize: 24KB
  • memory/3348-6-0x00007FF8887AD000-0x00007FF8887AE000-memory.dmp
    Filesize: 4KB
  • memory/3348-7-0x00007FF888930000-0x00007FF888931000-memory.dmp
    Filesize: 4KB
  • memory/3348-20-0x0000000000D80000-0x0000000000D86000-memory.dmp
    Filesize: 24KB
  • memory/3348-17-0x0000000000D80000-0x0000000000D86000-memory.dmp
    Filesize: 24KB
  • memory/3348-4-0x0000000000BA0000-0x0000000000BA6000-memory.dmp
    Filesize: 24KB
  • memory/3456-19-0x0000000000AB0000-0x0000000000AB6000-memory.dmp
    Filesize: 24KB
  • memory/4212-12-0x0000000002450000-0x0000000002456000-memory.dmp
    Filesize: 24KB
  • memory/4212-5-0x0000000077A22000-0x0000000077A23000-memory.dmp
    Filesize: 4KB
  • memory/4212-3-0x0000000002450000-0x0000000002456000-memory.dmp
    Filesize: 24KB
  • memory/4712-10-0x0000000002330000-0x0000000002D30000-memory.dmp
    Filesize: 10.0MB
  • memory/4712-9-0x0000000000400000-0x0000000000417000-memory.dmp
    Filesize: 92KB
  • memory/4712-0-0x00000000006C0000-0x00000000006C1000-memory.dmp
    Filesize: 4KB
  • memory/4712-1-0x0000000002330000-0x0000000002D30000-memory.dmp
    Filesize: 10.0MB